go-kratos kratos Unintended Route Exposure via DefaultServeMux Fallback Vulnerability
Vulnerability
A vulnerability exists in go-kratos kratos versions through 2.9.2, where the HTTP server's fallback handler for unmatched routes and disallowed methods can unintentionally expose debug profiling endpoints. This occurs because the server uses http.DefaultServeMux as that fallback. DefaultServeMux is a global, process-wide instance that may contain handlers registered as a side effect by other packages, such as net/http/pprof, which adds unprotected debug routes when imported. As a result, an unauthenticated remote attacker could access sensitive profiling data or disrupt service through the exposed endpoints.
Impact
Exploitation allows access to sensitive profiling data, including process command-line arguments, full goroutine stack dumps, heap memory dumps, CPU profiles, and execution traces. The exposed data could contain secrets like database passwords or API keys. Additionally, the /debug/pprof/profile endpoint, which performs a 30-second CPU profile by default, can be abused for denial-of-service by triggering multiple concurrent profiling requests.
Reproduction
To reproduce this vulnerability, create a standard Kratos application and import 'net/http/pprof' for performance debugging. Then, deploy the application with the default HTTP server settings. Once the application is running, access the /debug/pprof/ endpoint to see the profile index, which lists all available profiles. This confirms that the pprof endpoints are exposed via the DefaultServeMux fallback. Afterward, retrieve sensitive data through the various pprof endpoints, such as the command-line arguments, goroutine stacks, heap memory dump, and CPU profile.
Remediation
Users can manually override the default NotFoundHandler and MethodNotAllowedHandler to return proper HTTP error responses. Instructions for applying this workaround can be found in the Kratos documentation.
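The following is an added example, not Kratos code: it models the fallback behaviour with only the Go standard library (so it runs without the Kratos module) using a constructed router, newRouter, whose unmatched requests go to a fallback handler. The vulnerable variant falls back to http.DefaultServeMux, which the blank import of net/http/pprof has populated; the hardened variant falls back to a handler that only returns 404, which is the effect of overriding the NotFoundHandler and MethodNotAllowedHandler as the advisory recommends. The route names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
)

// newRouter models a Kratos-style HTTP server: a private mux holding the
// application's own routes, plus a fallback handler that receives every
// request the private mux does not match. (Constructed for this example.)
func newRouter(fallback http.Handler) http.Handler {
	app := http.NewServeMux()
	app.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// ServeMux.Handler reports an empty pattern when nothing matched.
		if _, pattern := app.Handler(r); pattern != "" {
			app.ServeHTTP(w, r)
			return
		}
		fallback.ServeHTTP(w, r)
	})
}

// vulnerableRouter falls back to the global DefaultServeMux, so anything any
// imported package registered there (here pprof) becomes reachable.
func vulnerableRouter() http.Handler { return newRouter(http.DefaultServeMux) }

// hardenedRouter falls back to a handler that owns no routes and only 404s,
// which is what overriding NotFoundHandler/MethodNotAllowedHandler achieves.
func hardenedRouter() http.Handler { return newRouter(http.NotFoundHandler()) }

// statusFor returns the status code a handler gives to GET path, in memory.
func statusFor(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// /debug/pprof/profile is deliberately not requested: it blocks for the
	// profiling duration (30s by default), which is the DoS angle above.
	for _, p := range []string{"/healthz", "/debug/pprof/", "/debug/pprof/cmdline"} {
		fmt.Printf("%-22s vulnerable=%d hardened=%d\n", p,
			statusFor(vulnerableRouter(), p), statusFor(hardenedRouter(), p))
	}
}
```

The same in-memory check can serve as a regression test for a real deployment: any fallback that answers /debug/pprof/ with 200 means the server is still delegating to DefaultServeMux.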